Summarized web edition
This page is the concise web copy of the full RAILS research paper. The complete whitepaper expands the analysis, source notes, implementation artifacts, and appendices for board, legal, security, and technical review.
The RAILS Framework
A capability-without-custody architecture for safe, compliant, and responsible agentic AI in real estate.
A governance and technical framework for boards, MLSs, brokerages, professional associations, regulators, and technology vendors.

The boundary
AI may receive capabilities. It must not receive custody.
The control
Policy, identity, and authorization remain outside the model.
The accountability
Licensed humans and approved platforms retain consequential authority.
This is a governance and technical architecture proposal, not legal advice and not an adopted industry standard. Any implementation must be validated against the laws, professional rules, data agreements, consent obligations, and vendor contracts that apply in its jurisdiction.
Realtors already crossed the AI adoption threshold. Governance has not.
Boards are not deciding whether members will begin using AI. Members are already using it in production work, often through general-purpose tools that sit outside a board-defined identity, permission, retention, provenance, and audit layer.
82%
of surveyed U.S. NAR-member real estate professionals said they currently use AI.
68%
reported using AI daily or several times per week.
63%
named accuracy or reliability as a concern.
49%
named compliance or legal issues as a concern.
The RPR 2026 AI Adoption Survey also found that 92% use AI now or plan to, 71% identify time savings as its leading value, and 68% save at least one hour per week. The survey was self-reported by 225 U.S. NAR-member real estate professionals, so it should not be generalized as a census of every market. Read the full RPR survey .
Interactive evidence review · Q5–Q13
Adoption is broad, frequent, valuable—and already touching higher-risk work
Select any bar, point, segment, or response label to inspect its exact share and count. Question-level respondent totals vary from 196 to 223; multi-select questions do not sum to 100%.
Types of AI tools agents have used
Writing tools (social posts, emails, descriptions): 77.93% (173 respondents). The category describes tool type, not the data entered into it.
Where AI is already affecting the real estate workflow
RAILS groups the survey’s tasks by workflow family; the horizontal position is the exact reported share. The grouping is analytical, not an additional survey measure.
Content
Communication
Market & property
Pipeline
No active use
Other
Writing listing descriptions: 68.47% (152 respondents).
Frequency of AI use for real estate tasks
Daily: 81 respondents. Daily plus several-times-weekly use totals 68.16%.
Average time saved each week
None: 28 respondents. The source report rounds this combined result to 68%.
Confidence using AI-generated content with clients
Stacked confidence distribution. Select a segment for its exact response.
Somewhat confident: 80 respondents. Confident plus very confident totals 47.53%; the remaining 52.46% were somewhat or not confident.
Where agents feel AI delivers value
Saving time: 70.97% (154 respondents). Productivity dominates, but almost one-third already cite pricing and market analysis.
Concerns about using AI in real estate
Accuracy of outputs: 63.47% (139 respondents). Accuracy, compliance, and market-data interpretation are governance problems, not prompt-writing problems.
Capabilities agents want RPR to expand
More CMA enhancements: 66.84% (131 respondents). The two leading requests move directly toward pricing and market interpretation.
Biggest barrier to using AI more regularly
I do not have any major barriers: 33.64% (74 respondents). No major barriers is the largest single response, but it is a 33.64% plurality—not a majority.
The survey does not directly measure board oversight. The governance conclusion is an inference: when adoption is already embedded in member workflows, the practical choice is no longer AI versus no AI. It is governed, permissioned paths versus unmanaged workarounds with weaker visibility and fewer shared controls. What members can already delegate is measurable: HomieBench v3 benchmarks eight frontier models across 100 supervised realtor workflows.
The detailed answers sharpen that inference. In Q5, 38.74% reported using market analysis or pricing tools and 22.52% reported AI CMA tools. In Q7, 30.63% reported analyzing market trends and 24.32% reported running CMAs or pricing conversations. One qualitative respondent also said they use AI heavily when processing trends from MLS data. The survey does not establish how common it is for members to paste MLS, client, or transaction data into a model, but it demonstrates enough high-stakes use to make data-flow controls urgent.
Training, retrieval, and live data are different mechanisms.
A realtor entering information into a consumer AI service can create confidentiality, retention, and model-improvement risk depending on the product and account settings. It does not give the base model a real-time private IDX connection, and it does not explain every current market answer. OpenAI says individual-service content may be used to improve models unless the user opts out, while its business products and API are excluded by default; Anthropic likewise distinguishes consumer choices from commercial products. Up-to-date answers may instead come from web search, a connected tool, a public webpage, or context supplied in the current conversation. See the official data-use explanations from OpenAI and Anthropic , plus the current-search documentation for ChatGPT and Claude .
Adoption is ahead of governance. Waiting does not preserve the status quo; it cedes the control surface.
Abstract
Agentic AI is becoming an interface through which consumers and professionals discover information, compare options, make decisions, and initiate action. In real estate, the interface that captures the question also captures commercially valuable intent: preferences, search refinements, objections, timelines, affordability constraints, and next steps.
Boards and MLSs therefore face two risks at once. Blanket prohibition can push members toward ungoverned consumer tools and workarounds. Unrestricted access can transfer protected listing, client, and transaction data into systems that were not designed to govern it. Neither extreme is durable.
The AI may receive capabilities. It must not receive custody.
RAILS—the proposed Realtor Agentic Interoperability Layer Standard—keeps protected data in its proper system of record while exposing narrowly scoped, identity-bound, purpose-bound, auditable capabilities. Models may search, summarize, prepare, validate, or request an action. They do not receive feed credentials, become the CRM, persist a shadow listing database, create the authoritative contract in an unapproved sandbox, or apply a signature.
The result is a model-agnostic architecture that combines zero trust, least privilege, purpose limitation, split-channel secure rendering, deterministic computation, human approval for consequential actions, immutable audit events, and capability-level vendor certification.
The risk is interface displacement—not simply data access.
Organized real estate was built around cooperation: competing professionals shared inventory under common rules for attribution, access, display, accountability, and data quality. That cooperative infrastructure also created an information advantage. AI and open distribution are reducing the marginal cost of basic access and interpretation.
Figure 1
Where professional value moves
Historic value stack
Durable professional value
The professional does not disappear when information becomes cheaper. The professional’s comparative advantage moves toward fiduciary alignment, judgement under uncertainty, negotiation, risk ownership, service coordination, and accountable execution. The board’s advantage changes in parallel: from information scarcity toward identity, permission, provenance, quality, interoperability, auditability, and revocation.
The market is already showing this shift. In October 2025, Zillow and OpenAI launched a conversational listing experience inside ChatGPT. Zillow says it controls the rendered experience, does not send OpenAI a raw MLS feed, and preserves MLS attribution and field controls. That architecture is a live example of a capability being made available without transferring feed custody. See the primary announcements from Zillow and Zillow’s industry explanation .
In June 2026, HouseCanary described a national expansion of Google’s mobile home-discovery program using listings from participating MLSs with broker and agent attribution. The announcement is evidence of real-estate discovery moving into a horizontal intent layer, although it should not be read as proof of any architecture beyond what the publisher describes. See the HouseCanary announcement .
Tool-connected AI is also becoming portable. OpenAI’s Apps SDK is built on the Model Context Protocol; Anthropic describes MCP as an open standard for connecting AI systems to external tools and data. These facts do not prove that every portal will integrate with every model. They do establish the interface pattern: natural-language request, controlled tool call, external system, structured result, and rendered experience. See OpenAI and Anthropic .
Figure 2
The board’s strategic choice
Controlled stagnation
Restrictions hold, but useful member workflows remain underdeveloped.
Interface displacement
Members adopt workarounds while external platforms capture intent and workflow.
Governed innovation
Certified tools improve member capability while boards retain policy control.
Partial alignment
Approved paths exist, but external incentives still require active oversight.
The choice is not “AI or no AI.” It is whether adoption happens inside a governable perimeter or outside one. Governed access creates new diligence and enforcement work, but it also gives boards a path to set requirements, certify capabilities, monitor use, revoke access, and keep professional accountability visible.
Capability, not custody
Custody exists when a model provider, agentic harness, or vendor application can persist, redistribute, train on, broadly index, or become an alternate source of truth for protected data. Capability exists when an authenticated actor can request one defined business action through a controlled service with bounded input, output, purpose, retention, and side effects.
Figure 3
Capability crosses the boundary. Custody does not.
CRM
Client and consent records
MLS / IDX / VOW / DDF
Listing and market data
Transaction platform
Authoritative documents
Policy & capability gateway
- Identity + purpose
- Field minimization
- Rate + scope limits
- Approval + audit
Agentic interface
Receives a bounded result, opaque reference, secure view, or approved action status—not raw feeds, signing keys, or authoritative custody.
Good capability design
- listings.search_display
- cma.prepare
- market_stats.calculate
- crm.task_create
- transaction.validate
- transaction.dispatch_approved
Unsafe generic access
- run_sql
- download_feed
- export_all_contacts
- read_any_record
- sign_document
- unrestricted_browser
Every capability should declare its eligible actors, allowed purpose codes, data classes, result ceilings, risk tier, human approval requirement, retention class, audit events, failure behaviour, and revocation path. Credentials remain at the gateway or system of record; they never enter model context.
- The model is never the system of record.
- Protected data is purpose-bound and minimized.
- Credentials and signing keys never enter model context.
- Deterministic services calculate and validate where correctness matters.
- Consequential actions remain attributable to an authorized human.
- Every access is observable, revocable, and auditable.
- Interfaces remain model-agnostic to reduce platform lock-in.
- Human-rights, privacy, and professional duties are enforced by design.
Three protected data domains, three proper systems of record
A workable policy must stop treating “real-estate data” as a single class. Listing, client, and transaction data carry different permissions, risks, and authoritative systems. RAILS applies the same boundary to all three while preserving those differences.
Consumer and client data
Identity, contact, finances, motivations, search preferences, consent, notes, and communications.
- System of record
- Approved CRM or brokerage business system.
- Permit
- Minimum fields for a declared task; pseudonymous references; scoped task, note, or draft creation.
- Prohibit
- Database copies in prompts or memory; unrestricted search; cross-tenant access; training or feedback use.
Listing and market data
Active and historical listings, media, remarks, sold data, showing data, statistics, and display instructions.
- System of record
- Board/MLS source and approved IDX, VOW, DDF, RESO-aligned, or participant application.
- Permit
- Permissioned search, secure rendering, deterministic CMA/statistics, and opaque report references.
- Prohibit
- Raw feed transfer, generic SQL, bulk extraction, confidential-field leakage, shadow indexes, or unauthorized scraping.
Transaction and contract data
Agreements, offers, amendments, disclosures, signatures, dates, review records, and correspondence.
- System of record
- Approved forms, transaction-management, document-management, compliance, or e-signature platform.
- Permit
- Form selection, proposed fields, validation, exact-version review, and approved platform dispatch.
- Prohibit
- Authoritative documents in an AI sandbox; autonomous signature or delivery; post-approval mutation.
Split-channel secure rendering
Protected listing detail does not always need to enter the model’s natural-language context. The model can receive a count, an opaque widget reference, policy metadata, and a secure view URL. The user interface then retrieves the authorized listing component directly from the IDX, VOW, DDF, brokerage, or board-controlled origin. The display channel and the model channel remain separate.
This pattern is compatible with existing permission-based distribution models. CREA describes REALTOR.ca DDF® as a managed, permission-based service in which broker owners control how listing content is shared. RESO publishes current Web API and Data Dictionary specifications that can provide common vocabulary for capability schemas. See CREA DDF® and RESO specifications .
Figure 6
Prepare → review → approve → commit
Prepare
AI proposes structured fields
Render
Approved platform builds exact version
Validate
Rules, dates and required fields
Review
Licensed human sees immutable artifact
Approve
Approval binds to document hash
Commit
Platform dispatches and archives
A trust architecture around the model—not inside it
RAILS separates probabilistic interpretation from identity, authorization, calculation, recordkeeping, and binding execution. A model may infer what a user is trying to achieve; it does not decide whether the user is entitled to achieve it.
Figure 4
RAILS reference architecture
Experience
Professional workspace, consumer portal, mobile app
Orchestration
Planning, model routing, task state, tool selection
Policy & identity
OIDC/OAuth, MFA, roles, attributes, purpose, consent
Capability gateway
Fixed schemas, field filters, limits, approval gates
Systems of record
Listing, CRM, forms, transaction, document and signature platforms
Audit, provenance & incident
Trace IDs, hashes, policy versions, anomaly detection, revocation
The policy and identity plane evaluates the subject, action, resource, data class, purpose, consent, jurisdiction, time, and risk tier. The capability gateway then asks the authoritative application to perform the action. The default response is the minimum sufficient projection—not the entire underlying resource.
allow = policy(
subject,
action,
resource,
data_class,
purpose,
consent,
jurisdiction,
time,
risk_tier
)
result = minimize(authoritative_data, purpose, role, consent, policy)This architecture follows the same direction as zero-trust systems: no implicit trust based on location or ownership, explicit authentication and authorization, and policy focused on users, services, and resources. NIST SP 800-207A further describes granular application-level policy enforcement through gateways and service identities. See NIST SP 800-207 and NIST SP 800-207A .
The coding agent may change the IDX website. The IDX website must control the live data.
Realtors and brokerages already use authorized IDX websites and applications to present listing information under applicable agreements, board rules, display requirements, and participant control. Coding agents can also modify website code. RAILS combines those facts without creating a new raw-data entitlement: the approved IDX application remains the only runtime permitted to hold credentials, query live listing data, enforce field and display rules, and render the result.
NAR’s current IDX policy describes authorized display through participant-controlled websites, mobile apps, and other approved mechanisms, requires the participant to control how listings are displayed, and states that MLS database access may not be given to an unauthorized person or entity. See NAR IDX Policy Statement 7.58 . In Canada, CREA describes DDF® as a permission-based distribution service and a Member Website Feed for listing display on a member-controlled website; see REALTOR.ca DDF® .
Figure 5
The controlled IDX website boundary
Board / MLS source
Listing data, credentials, field permissions, refresh, attribution, and distribution rules remain protected.
Approved IDX website / application
Live query
Executes server-side
Policy
Applies display rules
Render
Returns coded outcome
Consumer or realtor page
Buyer search, neighbourhood page, property experience, or deterministic home evaluation with current permitted data.
Coding agent
Edits templates, components, schemas, tests, mock fixtures, and approved query definitions. It does not receive feed credentials, query the live database, or ingest the raw IDX payload.
The coding agent changes the experience. The approved IDX application controls the data.
The model may help create a custom buyer-search page, neighbourhood experience, listing comparison, property page, or deterministic home-evaluation workflow. It can edit React components, templates, schemas, tests, mock fixtures, explanatory copy, and approved parameterized query definitions. It must not receive the raw feed, reuse feed credentials, query the live database, create a shadow index, or copy bulk listing data into model memory.
Permitted development plane
Documented schemas, approved SDKs, redacted fixtures, mock listing records, component code, query definitions, validation, display tests, and deployment review.
Protected runtime plane
Feed credentials, live IDX payloads, confidential fields, database access, refresh, attribution, field entitlements, rate limits, consumer audit, and production queries.
Coded buyer-search outcome
The agent builds the page and constrained filters. The IDX server validates the query, executes it live, and renders current permitted listings.
Coded home-evaluation outcome
The agent builds the intake and explanation. Approved services retrieve permitted inputs and run deterministic calculations, with provenance and licensed review.
capability: idx.page.render
actor: participant_controlled_website
agent_visibility: [schema, mock_fixture, query_definition, rendered_metadata]
agent_prohibited: [feed_credential, live_database, raw_payload, bulk_export]
runtime:
execute_query: approved_idx_application
enforce: [field_permissions, attribution, freshness, display_rules, rate_limits]
output:
returns: [rendered_page_ref, result_count, data_as_of, provenance]
deployment:
tests_required: [query_bounds, prohibited_filters, attribution, stale_data, extraction]
human_approval: requiredRESO notes that its Web API can execute live queries for immediate results in web applications and defines an IDX payload as the structured fields needed for display on an IDX website. RAILS places that live query and payload handling inside the authorized application boundary—not inside model context. See the RESO Web API overview .
- The website or approved application—not the model—is the data recipient and runtime.
- The coding agent receives schemas, fixtures, and opaque result references, not feed credentials.
- Live queries execute server-side under participant identity, purpose, and policy.
- Rendered pages preserve attribution, freshness, filtering, display, and access requirements.
- Every deployed code or query-definition change is tested, reviewed, versioned, and reversible.
- Boards can audit and revoke the application capability without granting access to the model.
A Realtor Agent Capability Catalogue for showings, CRM follow-up, social media, and conversations
RAILS is not only a listing-search architecture. The same capability-without-custody boundary applies to the repetitive workflows that realtor tools are beginning to automate. Each workflow needs a named action, authorized actor, purpose, minimum data, deterministic checks, human boundary, audit event, and revocation path.
Showing coordination
Read permissioned availability; request, reschedule, or cancel; reconcile calendars; securely render instructions; record every decision.
CRM follow-up
Create tasks, notes, appointments, and bounded stage changes in Follow Up Boss, HighLevel, Lofty, BoldTrail, or another approved CRM.
Social production
Transform approved source material, verify facts and rights, obtain human approval, publish through official APIs, and store post provenance.
DM and conversation handoff
Respond within channel rules, capture explicit lead information, stop on opt-out or ambiguity, and transfer consequential advice to a realtor.
AI showing booking for Zillow, ShowingTime, BrokerBay, and Touchbase
Showing coordination is a high-value candidate for a board-defined API profile because the workflow crosses listing permissions, realtor identity, buyer context, calendars, seller instructions, appointment status, lockbox information, and feedback. Zillow’s Real-Time Touring currently uses ShowingTime availability and can synchronize booking changes between the Zillow Premier Agent experience and ShowingTime. See Zillow Real-Time Touring . ShowingTime has also described real-time availability for broker and agent websites through an API; see the ShowingTime announcement .
BrokerBay and Touchbase are important showing-management systems in Canadian and North American markets. Their public sites describe appointment scheduling, confirmations, availability, instructions, feedback, and brokerage/board workflows, but a consistently documented self-serve developer surface is not evident for every use case. Boards and vendors should expose permissioned capabilities rather than forcing innovators to infer access from the user interface. See BrokerBay and Touchbase showing workflows .
In the absence of a supported interface, some teams experiment with agentic browser use through development harnesses. That workaround can inherit a realtor’s broad session, break on interface changes, mishandle MFA, duplicate appointments, expose confidential showing instructions, or violate platform terms. Browser automation may be useful for a supervised prototype, but it should not become the industry’s default showing control plane.
profile: rails/1.0
capability: showing.request_create
eligible_roles: [licensed_realtor, authorized_assistant]
required_scopes: [showing:availability_read, showing:request_create]
input:
listing_ref: opaque
requested_slots_max: 3
buyer_context_ref: crm-scoped
idempotency_key: required
policy:
listing_status_current: required
calendar_conflict_check: required
agency_and_consent_state: required
output:
returns: [request_ref, status, expiry, secure_instruction_ref]
model_visibility: no_lockbox_or_confidential_instructions
human_review: required_on_exception
audit: append_only
revocation: immediate- showing.availability_read
- showing.request_create
- showing.request_reschedule
- showing.request_cancel
- showing.instructions_render_secure
- showing.feedback_submit
AI Follow Up Boss, AI GoHighLevel, AI Lofty CRM, AI kvCORE / BoldTrail, Sierra Interactive, CINC, Real Geeks, BoomTown, Wise Agent, and Top Producer
Search demand is clustering around specific realtor tools, but the governance unit should remain the capability. The 84-system integration directory maps this landscape with documented access status for every system. Follow Up Boss documents a REST API and signed webhooks. HighLevel exposes contacts, conversations, calendars, opportunities, payments, and a broad webhook catalogue. Lofty documents developer access to leads, listings, transactions, communications, and AI features. BoldTrail is the current ecosystem name associated with kvCORE. Sierra Interactive, CINC, Real Geeks, BoomTown, Wise Agent, Top Producer, HubSpot, Salesforce, and other CRMs vary in partner access, object coverage, and commercial terms.
RAILS should make those differences explicit while preserving common actions: crm.person_match, crm.note_create, crm.task_create, crm.appointment_create, crm.stage_propose, and crm.opt_out_record. See the developer materials for Follow Up Boss , HighLevel , and Lofty .
AI social media for realtors: OpusClip, SumoClip, Higgsfield, Zernio, and ManyChat
A governed social agent can transform approved source material with AI clipping, create disclosed synthetic assets or presenter variants, obtain exact-artifact human approval, publish through official platform APIs, manage permitted comment and DM workflows, and write qualified leads back to the CRM. It should not scrape social dashboards, invent listing facts, reuse media without rights, impersonate a realtor, or continue a conversation outside platform and consent rules.
The follow-up Homies Research paper, The Real Estate Social Media AI Agent Stack, covers OpusClip, SumoClip, Supo, Higgsfield AI clones, the Zernio API, ManyChat, CRM integration, cost, measurement, and human-review controls in detail.
“We do not train on your data” is not a retention policy
A model request necessarily processes some input during inference. “No data in the model” is therefore useful shorthand but not an enforceable specification. The policy must enumerate every place protected information may persist.
Training and fine-tuning
Provider abuse-monitoring logs
Conversation history
Model memory
Assistant or thread state
Files and vector stores
Prompt caches
Tracing and observability
Tool, connector, browser, and subprocessor logs
A defensible vendor matrix identifies retention by endpoint and feature, training and feedback status, memory defaults, file lifecycle, cache behaviour, trace redaction, human-review exposure, subprocessors, residency, deletion verification, encryption, and incident obligations. Consumer accounts should not be used for protected workflows.
In Canada, organizations subject to PIPEDA must address accountability, identified purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, access, and challenge rights. Provincial law and sector-specific rules may also apply. See the Office of the Privacy Commissioner of Canada .
The proposed rule is precise: protected real-estate data may not be used for training, fine-tuning, model improvement, feedback, persistent memory, reusable retrieval indexes, model-managed files, or long-lived application state unless every party with the legal authority to permit that use has done so. Transient processing must be minimized, purpose-bound, encrypted, contractually protected, and subject to the shortest available retention.
Agentic systems expand the attack surface because they can act
Traditional application security remains necessary, but an agent adds instruction interpretation, tool selection, workflow state, and cross-system action. Controls must assume that retrieved content can be hostile and that a fluent model output can still be wrong or manipulative.
| Threat | Real-estate failure mode | Required controls |
|---|---|---|
| Prompt injection | Malicious instructions in remarks, CRM notes, email, documents, or webpages. | Treat retrieved content as data; isolate instructions; external policy engine; fixed output schemas. |
| Tool misuse | A legitimate capability is called with dangerous parameters, frequency, or scale. | Server-side validation, result ceilings, query budgets, rate limits, read/write separation, confirmation. |
| Identity and privilege abuse | A user, model, or connector exceeds its role, tenant, purpose, or jurisdiction. | Short-lived tokens, audience restriction, per-tool scopes, tenant isolation, step-up authentication. |
| Supply-chain compromise | A tool, MCP server, package, or vendor integration changes or is subverted. | Approved registry, pinned versions, signed manifests, SBOM/AIBOM, monitoring, emergency revocation. |
| Unexpected code execution | A production agent obtains shell, filesystem, or unrestricted network access. | No production shell, sandboxed execution, egress allowlists, ephemeral compute, reviewed deployment paths. |
| Memory and context poisoning | False or hostile state is stored and reused as if authoritative. | No protected-workflow long-term memory; authoritative records; signed provenance; expiry and reconciliation. |
| Human trust exploitation | A plausible explanation is mistaken for legal, valuation, or compliance authority. | Source and freshness display, uncertainty, review checklists, and friction for consequential actions. |
The OWASP Top 10 for Agentic Applications 2026 provides a useful cross-industry baseline. NIST’s voluntary Generative AI Profile organizes risk work around governance, mapping, measurement, and management. RAILS translates those foundations into real-estate-specific data and action boundaries; it does not replace either framework.
Audit events should be append-only and include trace ID, actor, tenant, capability, purpose, risk tier, resource reference, request/response hashes, policy version, authorization result, approval reference, outcome, and retention class. Raw protected payloads should not be logged by default.
Models may explain. Authoritative systems must calculate and verify.
A model can help a professional reason about a result, but it should not free-form a CMA, filing deadline, disclosure decision, binding form, or protected-field determination. Deterministic services should calculate comparable filters, distances, date windows, prices, adjustments, mortgage figures, taxes, deadlines, required fields, signature completeness, and document hashes.
- Source
- Authoritative system and record reference
- Time
- Retrieved at and data-as-of timestamps
- Permission
- Actor, tenant, purpose, and field context
- Versions
- Policy, tool, calculation, and schema
- Method
- Material assumptions and result limits
- Review
- Human-review requirement and approval ID
{
"result_ref": "cma_01J...",
"source": "approved-vow-service",
"retrieved_at": "2026-07-14T14:21:08Z",
"data_as_of": "2026-07-14T14:19:55Z",
"policy_version": "board-agentic-policy-1.2",
"tool_version": "cma-service-3.4.1",
"calculation_version": "adjustments-2.0",
"model_visibility": "metadata_only",
"human_review_required": true
}Objective criteria, explainable trade-offs, and anti-steering by design
Agentic interfaces can amplify discrimination when they accept protected-class preferences, infer them from proxies, or translate vague language into demographic steering. The design rule is consistent even where specific protected grounds differ: do not accept, infer, optimize, or conceal protected-class criteria.
Unsafe request
“Find me a family neighbourhood without immigrants.”
Required transformation
Reject the protected-class criterion. Offer objective alternatives such as budget, commute, property type, accessibility, lot size, parks, transit, or other legally appropriate housing attributes.
- Maintain prohibited-feature and proxy-feature catalogues.
- Log the objective criteria that include or exclude each result.
- Explain trade-offs rather than rank communities as good or bad.
- Test recommendations and ad delivery for disparate patterns.
- Escalate ambiguous requests to an authorized human.
- Apply the specific law and professional rule of each jurisdiction.
Ontario’s Human Rights Code protects equal treatment in buying, selling, and renting housing on Code-protected grounds. In the United States, HUD guidance identifies risks including denying housing information, differential terms, and steering through digital advertising. See the Ontario Human Rights Commission and HUD’s digital-platform guidance . Implementers must verify current local law rather than reuse either list as a universal rule.
Certify capabilities—not vendors in the abstract
A vendor may be suitable for secure listing rendering and unsuitable for transaction dispatch. A brokerage tool may be approved to create a CRM task and prohibited from bulk export. Certification should therefore attach to a capability, data class, actor, purpose, and risk tier—not to a logo.
| Tier | Class | Examples | Approval boundary |
|---|---|---|---|
| 0 | Prohibited | Raw-feed transfer, training on protected data, autonomous signatures, cross-tenant access | None |
| 1 | Read and navigate | Public/permissioned search, source attribution, secure rendering | Review before reliance |
| 2 | Authenticated analysis | VOW search, CMA preparation, market statistics, deterministic calculations | Human review before sharing |
| 3 | Workflow write-back | CRM notes, tasks, drafts, scheduling, bounded internal updates | Confirm external communication |
| 4 | Transaction preparation | Form selection, field population, clause proposal, validation | Licensed-human review required |
| 5 | Binding or external action | Send for signature, deliver an offer/notice, release confidential information | Step-up auth + exact-version approval |
Figure 8
Higher capability buys a heavier human gate
Prohibited
No path to approval
Raw-feed transfer, training on protected data, autonomous signatures
Read and navigate
Review before reliance
Permissioned search, attribution, secure rendering
Authenticated analysis
Human review before sharing
VOW search, CMA preparation, deterministic statistics
Workflow write-back
Confirm external communication
CRM notes, tasks, drafts, bounded internal updates
Transaction preparation
Licensed-human review required
Form selection, field population, clause proposal
Binding or external action
Step-up auth + exact-version approval
Send for signature, deliver an offer, release confidential information
Evidence should include architecture and data-flow diagrams, a field-level data inventory, model and subprocessor lists, retention matrices, training-use commitments, tenant-isolation tests, OAuth scopes, tool schemas, red-team results, fair-housing or human-rights testing, approval design, audit-event catalogues, incident response, business continuity, kill-switch procedures, deletion evidence, and software/AI bills of materials.
From feed governance to capability infrastructure
The same institutions that created permissioned distribution can expose controlled search, valuation support, statistics, geographic intelligence, rendering, compliance validation, attribution, and provenance endpoints. The strategic product is no longer only a feed. It is a governed capability platform that lets new interfaces operate on board-defined terms.
The model is not the accountable actor.
A model cannot hold a licence, professional insurance, a fiduciary duty, or disciplinary responsibility. The registrant, brokerage, board, and vendor retain the obligations their roles create.
A one-year path from policy inventory to transaction preparation
The safest adoption path increases capability only after the preceding control layer has been demonstrated. Boards should begin with inventory and a narrow read-only path, not a high-risk transaction automation showcase.
- 0–90 daysPhase 1
Policy and inventory
Map systems and data classes; identify shadow AI; define prohibited uses; create legal, privacy, security, technical, and member governance.
- 90–180 daysPhase 2
Read-only pilot
Certify a narrow search and secure-rendering path; test injection, bulk extraction, attribution, freshness, field permissions, and revocation.
- 180–270 daysPhase 3
Analytics and CRM
Add deterministic CMA/statistics and purpose-bound CRM tools; implement shared audit events and privacy-impact review.
- 270–365 daysPhase 4
Transaction preparation
Integrate approved forms platforms; bind human approval to immutable document versions; keep dispatch platform-side.
- Year 2Phase 5
Standards and scale
Publish an Agentic Access Profile, align schemas with RESO concepts, support multiple vendors, and operate red-team and incident-sharing programs.
Keeping the human in the loop: safe integration in one workflow
The tier progression stays abstract until it is applied to a single consequential workflow. Take the one members care about most: writing an offer.
In the first phase, the AI writes the offer inside a supervised harness, and the realtor does everything else: uploads the document into the approved platform, reviews it, and completes the signing flow themselves. The model’s autonomy ends at the draft. Review is enforced by the physics of the workflow, because nothing reaches a client that the realtor did not personally move and sign.
In the second phase, the AI writes the offer, uploads it, and routes it for signature. One rule changes: the signing order. The document goes to the realtor before the client. By signing first, the realtor legally binds themselves to the AI-prepared instrument before the client ever sees it. Accountability stops being a procedural checkbox and becomes a property of the instrument itself.
Figure 7
The human stays in the loop. The loop moves earlier.
AI drafts. The realtor executes everything.
AI writes the offer
Draft prepared from approved forms and validated fields
Realtor uploads it
The licensed human moves the document into the platform
Realtor signs
Review happens with hands on the instrument
Client signs
The client receives a human-executed document
AI drafts and dispatches. The realtor signs first.
AI writes the offer
Same drafting capability, same approved forms
AI uploads and routes
The platform receives the exact version for signature
Realtor signs first
The licensee binds themselves to the AI output before the client sees it
Client signs
The client only ever receives a realtor-executed document
The pattern generalizes across every tier in this framework. As autonomy increases, the human checkpoint does not disappear; it moves earlier and its consequences get heavier. The AI may earn more of a workflow only where the accountable human’s commitment is captured by a mechanism that cannot be skipped: a signature order, a document hash, a step-up approval. Section 14 shows the hash-bound version of the same idea, where approval binds to the exact document version and any later mutation invalidates it.
Phase two does not remove the human. It moves the signature earlier, so the licensee is bound to the AI’s work before the client ever sees it.
Success metrics should be operational: policy violations prevented, field-minimization rate, attribution correctness, tool-call failure rate, human-review completion, revocation time, incident detection time, unauthorized extraction resistance, and member time saved—not raw prompt volume.
Model policy clauses for counsel and rulemaking teams
The following clauses are starting points for jurisdiction-specific drafting. They are deliberately technology-neutral and preserve existing duties.
General authorization
A participant may use an approved agentic AI system to search, summarize, analyze, render, prepare, or initiate actions involving authorized data, provided the participant remains responsible and all existing data-use, display, privacy, professional-conduct, attribution, security, and supervision requirements continue to apply.
System of record
The agentic system must not serve as the authoritative repository for listing, client, or transaction data. Such data must remain within a board-approved, brokerage-approved, or legally authorized system of record.
Training and retention
Protected data may not be used to train, fine-tune, improve, evaluate, or provide feedback to a model unless expressly authorized by every party with the legal right to authorize that use. Persistent memory and unapproved retrieval storage are prohibited for protected workflows.
Listing boundary
Raw feeds, feed credentials, and bulk listing datasets may not be provided to a model or agentic harness. Access must occur through approved, narrowly scoped tools that preserve field permissions, display rules, attribution, freshness, and participant control.
IDX website execution boundary
An approved coding agent may prepare or modify participant-controlled IDX website code, templates, components, schemas, tests, and parameterized query definitions. Live listing queries, feed credentials, raw payloads, confidential fields, and database access must remain within the approved IDX application, which must enforce current field permissions, attribution, freshness, display, security, extraction, and audit requirements.
Client boundary
Client and consumer data must remain in an approved CRM or business system. Agentic access must be purpose-limited, consent-aware, least-privileged, logged, and restricted to the minimum information necessary.
Transaction boundary
Authoritative transaction instruments must be generated, versioned, stored, and executed within an approved platform. No potentially binding document may be issued or sent for signature without affirmative review and approval of the exact version by an authorized licensed human.
Audit and revocation
The board or MLS may require audit records reasonably necessary to investigate suspected misuse and may suspend or revoke a tool, integration, vendor, or participant capability where data security, consumer protection, or rule compliance is at risk.
A concrete, testable Agentic Access Profile
Natural-language policies are necessary but insufficient. Each approved capability should have a machine-readable profile that certification tests can exercise.
profile: rails/1.0
capability: cma.prepare
risk_tier: 2
eligible_roles: [licensed_realtor]
required_scopes: [cma:prepare]
purpose_codes: [seller_evaluation, buyer_analysis, brokerage_review]
input:
schema: cma-request/2.1
max_records: 50
output:
model_visibility: metadata_only
returns: [cma_ref, secure_view_url, expiry, provenance]
human_review: required_before_share
retention_class: audit_metadata_only
revocation: immediateFor transactions, approval must bind to an immutable artifact. A later mutation must invalidate the approval and force a new review.
function dispatchApproved(documentBytes, approval) {
assert(approval.expiresAt > now())
assert(sha256(documentBytes) === approval.documentSha256)
assert(currentActor.id === approval.reviewerId)
assert(policyAllows("transaction.dispatch", approval.purpose))
// The approved platform holds the signing credential.
return transactionPlatform.dispatch(documentBytes, approval.id)
}Production implementations should use asymmetric signatures or a managed key service, short-lived tokens, replay protection, step-up authentication, and explicit audience and tenant binding. Samples in this paper illustrate control shape; they are not production security code.
Conformance tests
Schema bounds, permission denial, field leakage, bulk extraction, failure state, and audit completeness.
Policy tests
Purpose, jurisdiction, consent, risk tier, approval, revocation, and protected-feature transformations.
Security tests
Direct and indirect injection, privilege escalation, connector compromise, exfiltration, and trace redaction.
Governance tests
Vendor-change notices, model changes, subprocessors, deletion evidence, incident drills, and kill-switch timing.
Organized real estate can govern the interface shift without surrendering the record
Consumers will choose convenient interfaces. Professionals will choose tools that save time. Portals and model providers will continue competing for the point at which intent becomes workflow. The durable response is not to pretend that shift can be stopped. It is to define the trust infrastructure through which it operates.
The useful boundary is custody versus capability; persistent storage versus controlled transient processing; autonomous action versus accountable approval; probabilistic explanation versus deterministic calculation; and ungoverned distribution versus auditable access.
Better interfaces should operate through board-defined trust—not around it.
Boards that define identity, permission, provenance, quality, interoperability, auditability, certification, and revocation can protect data while improving member capability. Boards that focus only on yesterday’s interface may preserve the feed while losing influence over tomorrow’s consumer journey.
Questions
Frequently asked questions about RAILS
What is the RAILS Framework?
RAILS, the Realtor Agentic Interoperability Layer Standard, is a proposed governance and technical architecture for agentic AI in real estate. It lets AI systems do useful member work through narrow, permissioned capabilities while custody of listing, client, and transaction data stays in board-approved systems of record.
What does capability without custody mean?
An AI system can be granted a bounded capability, such as running a permissioned listing search or preparing a CMA, without ever holding the underlying dataset, feed credentials, or authoritative record. Capability crosses the trust boundary. Custody does not.
Can an AI agent sign or send an offer under RAILS?
No. Binding and external actions sit in the highest capability tier, which requires step-up authentication and human approval bound to the exact document version. A licensed human signs before a client ever sees an AI-prepared instrument, and a later mutation of the document invalidates the approval.
How does a realtor keep a human in the loop without losing the speed benefits?
By moving the checkpoint instead of removing it. In an early phase the AI drafts the offer and the realtor uploads and signs it manually. In a later phase the AI drafts and routes the document, but the realtor signs first, legally binding themselves to the AI output before the client sees it. Autonomy grows only where a stronger accountability mechanism replaces the manual one.
Is client or MLS data used to train the models?
RAILS prohibits using protected data to train, fine-tune, improve, or evaluate a model unless every party with the legal right to authorize that use has done so. The framework also treats retention as its own control surface, separate from training claims, across nine distinct places data can persist.
Who is RAILS for?
Boards, MLSs, brokerages, professional associations, regulators, and technology vendors that need a shared vocabulary of protected data domains, capability tiers, approval boundaries, certification evidence, and audit requirements for agentic AI.
Selected primary sources and standards
Product claims are factual only to the extent supported by the linked publisher. The RAILS architecture, tiers, policy language, and roadmap are proposals by the authors. Legal requirements vary and must be re-verified before adoption.
- 01
- 02
- 03
- 04
- 05
- 06
- 07
- 08
OpenAI
ChatGPT Search - 09
Anthropic
Consumer data-use choices for Claude - 10
Anthropic
Enabling and using web search - 11
- 12
- 13
- 14
Follow Up Boss
REST API and webhook documentation - 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
CREA
REALTOR.ca DDF® - 24
OPC Canada
PIPEDA requirements in brief - 25
- 26